How to Logon with Domain Credentials to a Server in a Workgroup




How to Logon with Domain Credentials to a Server in a Workgroup
Johan Loos (johan@accessdenied.be)
Version 1.0

Authentication Overview

Basically, when you log on to a Windows Server you can log on locally using a local username and password, or you can use a username and password from Active Directory when your server is joined to a domain. What if your server belongs to a workgroup and you need to log on with your domain credentials? That is what this paper is all about. Our goal is to log on with our domain credentials even when the server is not a member of the domain.

The tool used to accomplish this task is pGina. pGina is an open source Windows authentication and access management tool that lets you log on with a username against a backend of your choice, for example an LDAP server or a RADIUS server. In the first of the next two sections you can find the procedure to log on to a server in a workgroup with your domain credentials when the backend authentication server is an LDAP server. In the second part you can find the procedure for the case where the backend authentication server is a RADIUS server.

pGina Installation Task List
Install .NET Framework 4.0
Install VC++ 2012 Redistributable
Install pGina

Install .NET Framework 4.0
Double click on your .NET Framework 4 file to launch the installation process

On the .NET Framework 4 Setup page, select I have read and accept the license terms and click Install
The installation progress starts
On the Installation Is Complete page, click Finish

Install VC++ 2012 Redistributable
Double click on your Visual C++ 2012 Redistributable file to launch the installation process
Select I agree to the license terms and conditions and click Install
The setup process starts
On the Setup Successful page, click Close

Install pGina
Double click on your pGina installation file to launch the process
On the Welcome to the pGina Setup Wizard page, click Next
On the License Agreement page, select I accept the agreement and click Next

On the Select Destination Location page, click Next
On the Select Start Menu Folder page, click Next

On the Select Additional Tasks page, click Next
On the Ready to Install page, click Install

On the Completing the pGina Setup Wizard page, click Finish
After installation, a pGina service is created and runs under the System account.

LDAP Authentication

How it works
pGina captures the user's credentials, makes a connection to your LDAP server and verifies that the user exists in Active Directory and that the password is correct. pGina also verifies whether the user is a member of a specific group; this group is specified in the authorization process. If authentication is successful, pGina creates a local user account on the workgroup server with the same username/password as your domain user and adds the user account to a security group defined in the gateway process. When the user logs off, the local user account and its profile are deleted from your workgroup server.

LDAP Authentication Task List
Create an LDAP user account
Create and configure your LDAP Administrators group in Active Directory
Configure pGina
Configure LDAP plugin
Configure Local Machine plugin
Simulate your connection
Logon
LDAP Authentication Debug

Create an LDAP user account
Open Active Directory Users and Computers from Administrative Tools
Create a new user account which can be used to perform LDAP queries

Create and configure your LDAP Administrators group in Active Directory
All members of this group are allowed to log on to a server in a workgroup via LDAP.
Open Active Directory Users and Computers from Administrative Tools
Create a new group and add the required users on the Members tab

Configure pGina
Before you can log on with your domain credentials, you need to configure some plugins. pGina delegates the logon process to plugins, depending on the type of backend you choose. In our example the backend server is an LDAP server. The process is done in three stages:
Authentication: This stage validates the credentials of the user account
Authorization: This stage determines if the user is allowed to access resources. This is done via group membership
Gateway: This stage can be used to provide account management
On the General page, configure the following settings
o You can select a bitmap Tile Image which is displayed in the logon screen
o You can enable the Message of the Day (MOTD). This message is displayed in the logon screen

o You can also specify a Logon Progress Message which is displayed when the user is successfully authenticated
Click Apply and click Save & Close

Configure LDAP plugin
On the Plugin Selection page, select the LDAP Plugin
Select the Authentication, Authorization, and Gateway checkboxes and click on Configure
On the Authentication page, select the following

o In the LDAP Hosts field, type the IP address or FQDN of your LDAP servers (Active Directory Domain Controllers)
o In the LDAP Port field, type the port your LDAP server is listening on (389, or 636 for SSL)
o You can check the Use SSL field to perform authentication over SSL. Be sure that your domain controller has a trusted certificate and that the certificate of the Root CA is available on this server
o In the Search DN field, type the Distinguished Name of the account which is used to bind/connect to your LDAP server. This account is also used to search in Active Directory when you launch an LDAP query
o In the Search Password field, type the password of your Search DN account
o In the Group DN Pattern field, type the Distinguished Name of the location used when converting a group name to an LDAP DN
o In the Member Attribute field, type the LDAP attribute used to store group members. If you are using the object class groupOfNames, then type member
o Search for DN and Search Contexts: look for an account in the location you specify. In my case, I look for the sAMAccountName username in the location specified in the Context value. You can add more contexts if you want to search in several locations in Active Directory
On the Authorization page, select the following
o If member of LDAP Group: Type a group which currently exists in Active Directory to authorize users from Active Directory. If the user is a member of the security group LDAP Administrators (which is available in Active Directory) then access is allowed.

On the Gateway page, select the following
o If member of LDAP group: Verify if the user is a member of this group and add this user to a local group which exists on the local machine
Click Save

Configure Local Machine plugin
On the Plugin Selection page, select the Local Machine Plugin
Select Authorization and Gateway, and click on Configure

On the LocalMachine Plugin Configuration page, select the following
o Authorize all authenticated users: All authenticated users will be authorized
o Remove account and profile after logout: When the user logs off, the plugin deletes the user account and the profile from that server
Click Save
On the Plugin Order page, move the plugins into the correct order

Simulate your connection
On the Simulation page, type the username and password of the account which you want to use to log on and click on the Play button
The results are displayed in the Result pane
Click Save & Close

Logon
On your logon screen, press CTRL+ALT+DEL and select Switch User

Type your domain credentials to log on
Press Enter to log on
You are now logged on to your workgroup server and a member of the local Administrators group

LDAP Authentication Debug
pGina binds an LDAP connection to our LDAP server using our user ldapuser

Bind connection successful
Lookup for the user (Johan) who is logging on
User found
Verify if the group exists in Active Directory
Group found

Verify if the user is a member of the LDAP Administrators group
User is a member of this group
Unbind the connection with the LDAP server
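The LDAP plugin settings (Search DN, Search Contexts, Group DN Pattern, Member Attribute) and the debug trace above describe one decision flow; the following is an added example that models that flow, not pGina's own code. It runs against a constructed in-memory directory instead of a real domain controller, and assumes pGina-style %u and %g placeholders in the filter and group patterns; it also escapes the typed logon name before it goes into the search filter, a check worth having in any such plugin.

```python
"""Model of the pGina LDAP plugin decision flow described in the paper.

Added example, not pGina's own code. DIRECTORY is a constructed in-memory
stand-in for Active Directory so the example runs offline; the %u and %g
placeholders in the patterns are assumed to follow pGina's convention.
"""

# Constructed directory snapshot: DN -> attributes (values are lists).
DIRECTORY = {
    "CN=ldapuser,OU=Service,DC=accessdenied,DC=be": {
        "sAMAccountName": ["ldapuser"], "userPassword": ["S3arch!"]},
    "CN=Johan,OU=Users,DC=accessdenied,DC=be": {
        "sAMAccountName": ["Johan"], "userPassword": ["J0han!"]},
    "CN=Guest,OU=Users,DC=accessdenied,DC=be": {
        "sAMAccountName": ["Guest"], "userPassword": ["guest"]},
    "CN=LDAP Administrators,OU=Groups,DC=accessdenied,DC=be": {
        "member": ["CN=Johan,OU=Users,DC=accessdenied,DC=be"]},
}

# Settings mirroring the LDAP plugin's Authentication/Authorization pages.
CONFIG = {
    "search_dn": "CN=ldapuser,OU=Service,DC=accessdenied,DC=be",
    "search_password": "S3arch!",
    "search_filter": "(sAMAccountName=%u)",
    "search_contexts": ["OU=Users,DC=accessdenied,DC=be"],
    "group_dn_pattern": "CN=%g,OU=Groups,DC=accessdenied,DC=be",
    "member_attribute": "member",
    "required_group": "LDAP Administrators",
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a typed logon name cannot alter the search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def in_context(dn: str, context: str) -> bool:
    """True when dn lies under the given search context (base DN)."""
    return dn.lower().endswith("," + context.lower())


def ldap_logon(username, password, cfg=CONFIG, directory=DIRECTORY):
    """Walk bind -> user lookup -> group lookup -> membership -> unbind.

    Returns (allowed, trace); the trace mirrors the paper's debug output.
    """
    svc = directory.get(cfg["search_dn"])
    if svc is None or cfg["search_password"] not in svc["userPassword"]:
        return False, ["Bind failed"]
    trace = ["Bind connection successful"]
    filt = cfg["search_filter"].replace("%u", escape_filter_value(username))
    trace.append(f"Lookup for the user ({username}) with filter {filt}")
    user_dn = next((dn for dn, a in directory.items()
                    if any(in_context(dn, c) for c in cfg["search_contexts"])
                    and a.get("sAMAccountName") == [username]), None)
    if user_dn is None:
        trace.append("User not found")
        return False, trace
    trace.append("User found")
    # Authentication: pGina binds as the found DN; modelled as a password check.
    if password not in directory[user_dn]["userPassword"]:
        trace.append("Password incorrect")
        return False, trace
    # Authorization: expand the Group DN Pattern, then read the member attribute.
    group_dn = cfg["group_dn_pattern"].replace("%g", cfg["required_group"])
    group = directory.get(group_dn)
    if group is None:
        trace.append("Group not found")
        return False, trace
    trace.append("Group found")
    members = {m.lower() for m in group.get(cfg["member_attribute"], [])}
    if user_dn.lower() not in members:
        trace.append("User is not a member of this group")
        return False, trace
    trace.append("User is a member of this group")
    trace.append("Unbind the connection with the LDAP server")
    return True, trace
```

Note that the service account (ldapuser) is outside the configured Search Context, so it can bind for searches but cannot itself log on; that split is what limits the blast radius of the Search DN password.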

RADIUS Authentication

How it works
pGina captures the user's credentials and verifies that the password is correct. If authentication is successful, pGina creates a local user account on the server and adds the user account to a security group specified in the gateway process. When the user logs off, the local user account and profile are deleted from that server. Authentication between the RADIUS client and RADIUS server is done via PAP. The RADIUS client (our server) uses the shared key to encrypt the password of the user account and sends it to the RADIUS server. You can also use IPSec to secure authentication traffic between the RADIUS client and RADIUS server.

RADIUS Authentication Task List
Create and configure your RADIUS Authentication group in Active Directory
Configure pGina
Configure RADIUS plugin
Configure LocalMachine plugin
Configure your server as a RADIUS client on Windows Server 2012 NPS
Create a Network Policy on Windows Server 2012 NPS
Logon
RADIUS Authentication Debug

Create and configure your RADIUS Authentication group in Active Directory
All members of this group are allowed to log on to a server in a workgroup via RADIUS.
Open Active Directory Users and Computers from Administrative Tools

Click OK

Configure pGina
Before you can log on with your domain credentials, you need to configure some plugins. pGina delegates the logon process to plugins, depending on the type of backend you choose. In our example the backend server is a RADIUS server.
On the General page, configure the following settings
o You can select a bitmap Tile Image which is displayed in the logon screen
o You can enable the Message of the Day (MOTD). This message is displayed in the logon screen
o You can also specify a Logon Progress Message which is displayed when the user is successfully authenticated

Click Apply and click Save & Close

Configure RADIUS plugin
On the Plugin Selection page, select the RADIUS Plugin
Select Authentication and Notification, and click on Configure
On the RADIUS Plugin Configuration page, configure the following:
o Server: The IP address of your RADIUS server
o Shared Secret: Secret used to communicate with the RADIUS server
o Machine Identifier: Select an identifier, for example Machine Name Only

Click Save

Configure LocalMachine plugin
On the Plugin Selection page, select the Local Machine Plugin
Select Authorization and Gateway, and click on Configure
On the LocalMachine Plugin Configuration page, select the following
o Remove account and profile after logout: When the user logs off, the plugin removes the user account from the groups below, then deletes the user account and the profile from the server
o Mandatory Groups: The user account is added to the groups in the list

Click Save

Configure your server as a RADIUS client on Windows Server 2012 NPS
Open Network Policy Server from Administrative Tools
Expand RADIUS Clients and Servers, right click on RADIUS Clients and select New RADIUS Client
On the New RADIUS Client dialog box, specify a friendly name and IP address

Click on Advanced and check or uncheck the required options

Click OK

Create a Network Policy on Windows Server 2012 NPS
From the Network Policy Server console, right click on Network Policies and select New
On the Specify Network Policy Name and Connection Type page, type a name for your policy and click Next

On the Specify Conditions page, click Add
From the Select Condition dialog box, add the following: Windows Groups: Workgroup Authentication, and click Next
On the Specify Access Permissions page, select Access Granted and click Next

On the Configure Authentication Methods page, clear all authentication methods, select only Unencrypted Authentication (PAP, SPAP) and click Add
On the Configure Constraints page, click Next

On the Configure Settings page, click Next
On the Completing New Network Policy page, click Finish

Logon
On your logon screen, press CTRL+ALT+DEL and select Switch User
Type your domain credentials to log on

Press Enter to log on
You are now logged on to the workgroup server and a member of the local Administrators group

RADIUS Authentication Debug
RADIUS client sends an Access-Request authentication request
RADIUS server sends an Access-Accept response

Encrypting RADIUS traffic with IPSec

Task List
You can use IPSec to further encrypt authentication traffic.
Create an Inbound rule on your RADIUS server
Create a Connection Security Rule on your RADIUS server (NPS server)
Create a Connection Security Rule on your RADIUS client (workgroup server)
Monitor Security Associations

Create an Inbound rule on your RADIUS server
Open Windows Firewall with Advanced Security from Administrative Tools
Right click on Inbound Rules and select New Rule
On the Rule Type page, select Port and click Next
On the Protocols and Ports page, select Specific local ports and type 1812
On the Action page, select Allow the connection if it is secure and click Customize

On the Customize Allow if Secure Settings page, select Require the connection to be encrypted, select Allow the computers to dynamically negotiate encryption and click OK

On the Users page, click Next

On the Computers page, click Next
On the Profile page, click Next
On the Name page, type a name for your rule and click Finish

Create a Connection Security Rule on your RADIUS server (NPS server)
Right click on Connection Security Rules and select New Rule
On the Rule Type page, select Server-to-server and click Next
On the Endpoints page, add the IP address of your workgroup server, and click Next

On the Requirements page, select Require authentication for inbound and outbound connections, and click Next
On the Authentication Methods page, select Advanced and click Customize

On the Customize Advanced Authentication Methods page, click Add
On the Add First Authentication Method page, select Preshared key and type a pre-shared key

Click OK several times and click Next
On the Profile page, click Next

On the Name page, type a name and click Finish

Create a Connection Security Rule on your RADIUS client (workgroup server)
Right click on Connection Security Rules and select New Rule
On the Rule Type page, select Server-to-server and click Next
On the Endpoints page, add the IP address of your workgroup server, and click Next

On the Requirements page, select Require authentication for inbound and outbound connections, and click Next
On the Authentication Methods page, select Advanced and click Customize

On the Customize Advanced Authentication Methods page, click Add
On the Add First Authentication Method page, select Preshared key and type a pre-shared key

Click OK several times and click Next
On the Profile page, click Next
On the Name page, type a name and click Finish

Monitor Security Associations
On your RADIUS server, expand Monitoring, Security Associations, Main Mode
When the RADIUS client initiates a secure connection to the RADIUS server, a security association is created.
IPSec Main Mode Security Association between RADIUS server and RADIUS client

ISAKMP key exchange in Wireshark
ESP encrypted packets in Wireshark
Expand Monitoring, Security Associations, Quick Mode
IPSec Quick Mode Security Association between RADIUS server and RADIUS client

ESP encrypted packets in Wireshark
Authentication traffic is now encrypted by IPSec between the RADIUS server and RADIUS client.

Auditing
To view auditing information on account management (create/delete user account), configure your server via a local group policy to audit Account Management events for Success and Failure.
Open Local Security Policy from Administrative Tools
Navigate to Security Settings, Local Policies, Audit Policy

If your authentication was done via LDAP or RADIUS, the user is added to the local group which you have specified above.
User account is created on the workgroup server
User account is added to a local group on the workgroup server
User account is deleted (when you log off) on the workgroup server
Logging information retrieved from your NPS server:
The user has been granted access to the network
Authentication is done via the policy we have created above
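With Audit Account Management enabled, every pGina logon leaves the create, add-to-group and delete events described above in the Security log, and a review of that log should find them in pairs. The following added example (not part of the paper or pGina) correlates those events per account and flags the cases a defender cares about: an account that was created but never deleted, an add to a group other than the configured Mandatory Groups, and a creation not performed by the pGina service. The event IDs are the standard Windows ones (4720, 4732, 4726); the log lines are constructed in a simplified pipe-delimited form, and the expectation that the creating subject is SYSTEM follows from the paper's note that the service runs under the System account.

```python
"""Correlate the local-account lifecycle pGina leaves in the Security log.

Added example, not part of the paper or of pGina. The event IDs are the
standard Windows account-management IDs (4720 created, 4732 added to a
security-enabled local group, 4726 deleted). The log lines are constructed
in a simplified "time|event_id|subject|target|group" form, not a real
export, and the expectation that the creating subject is SYSTEM follows
from the paper's note that the pGina service runs under the System account.
"""
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
2014-06-09 08:01:10|4720|SYSTEM|Johan|
2014-06-09 08:01:11|4732|SYSTEM|Johan|Administrators
2014-06-09 17:30:02|4726|SYSTEM|Johan|
2014-06-09 09:15:00|4720|SYSTEM|Alice|
2014-06-09 09:15:01|4732|SYSTEM|Alice|Administrators
2014-06-09 10:02:30|4720|Bob|svc_backup|
2014-06-09 10:02:31|4732|Bob|svc_backup|Remote Desktop Users
"""

# The Mandatory Groups configured in the LocalMachine plugin (constructed).
EXPECTED_GROUPS = {"Administrators"}


def parse_events(text: str):
    """Parse the simplified lines into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, subject, target, group = line.split("|")
        events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "id": int(eid), "subject": subject,
                       "target": target, "group": group})
    return sorted(events, key=lambda e: e["time"])


def account_lifecycles(events):
    """Fold create / add-to-group / delete events into one record per account."""
    life = defaultdict(lambda: {"created": None, "subject": None,
                                "groups": [], "deleted": None})
    for e in events:
        rec = life[e["target"]]
        if e["id"] == 4720:
            rec["created"], rec["subject"] = e["time"], e["subject"]
        elif e["id"] == 4732:
            rec["groups"].append(e["group"])
        elif e["id"] == 4726:
            rec["deleted"] = e["time"]
    return dict(life)


def review(events):
    """Flag accounts that outlived the logoff cleanup, group adds outside the
    configured list, and accounts not created by the pGina service."""
    findings = []
    for name, rec in account_lifecycles(events).items():
        if rec["created"] and rec["deleted"] is None:
            findings.append(f"{name}: created and never deleted")
        for g in rec["groups"]:
            if g not in EXPECTED_GROUPS:
                findings.append(f"{name}: added to unexpected group {g}")
        if rec["created"] and rec["subject"] != "SYSTEM":
            findings.append(f"{name}: created by {rec['subject']}, not SYSTEM")
    return findings
```

On a real server the same three IDs can be pulled from the Security log with wevtutil or Get-WinEvent and fed into parse_events after mapping the fields; an account that stays behind after logoff is the case the "Remove account and profile after logout" setting is meant to prevent.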

Appendix A

IP address   Name        Server                 Note
10.32.5.3    ADDEVDC01   Domain Controller      Member of Active Directory
10.32.5.15   ADDEVDC04   Network Policy Server  Member of Active Directory
10.32.5.11   ADDEVSRV01  Workgroup

URL: http://pgina.org/
Version used: 3.1.7.1 BETA